Building a Successful Global IT Asset Disposition Program
IT equipment today is often the lifeline of any business, and while upkeep and proper maintenance is important, it is not easy. From maintenance and upgrades to the final disposal, each phase of managing the lifecycle of IT assets within an organization presents its own set of unique challenges.
Similar to IT asset management (ITAM) processes within an organization, the IT asset disposition (ITAD) process has matured in recent years. Companies have begun to understand data security and environmental compliance risks associated with disposition programs that do not follow rigorous processes. This is why over the last few years Sims Recycling Solutions has seen many global RFPs as companies started recognizing risks of inconsistent ITAD programs at their worldwide locations.
ITAD is the last stage [of the ITAM process] and too often becomes an afterthought; a “necessary evil” that carries with it significant risks without a thorough, detailed, end-to-end process that is consistently executed throughout your enterprise.
Noted Gartner, Inc. in the Gartner Market Guide for IT Asset Disposition, July 26, 2018.
Wondering where to start?
It does not always have to be as drastic as pulling out your current IT asset disposition program, tearing it up, and starting over; although that may be necessary in some cases. Start first by assessing your current situation, then understanding areas where you can improve to ensure your program will be successful.
Assessing the Situation
Perhaps you are unsure if your IT asset disposal and electronic recycling program could be vulnerable to security threats. The following checklist will help you understand your program’s current strengths and weaknesses, allowing you to create an action plan for improvement.
Do any of these sound familiar?
- I have no clear audit trail for corporate and regulatory compliance (Regulatory Environment)
- I have insufficient/no visibility into data destruction, chain-of-custody (Corporate Policies)
- I do not have consistent asset reports, invoices, or certificates of data destruction (Corporate Policies)
- My disposal program is not aligned to our corporate risk management program (Corporate Policies)
- I do not have a defined process for securely handling data bearing equipment (Corporate Policies)
- It is difficult for me to get accurate asset lists from different locations (Operations)
- I have trouble determining asset condition, count, and age for each location (Operations)
- I have an IT asset disposition process that is different from other locations. (operations)
- I have inconsistent billing and no overall visibility of total costs (Operations)
- I have no guidance on how to manage retired IT assets within our corporate data privacy program. (Operations)
- I do not have a line item in my budget to manage my ITAD program, or for asset disposition activities. (Operations)
- I manage multiple vendors who were on-boarded years ago with regional vs. global focus (Vendor Selection)
- My current vendors cannot fulfill all of my needs I have today (Vendor Selection)
If you checked any box off this list, you should review, update and add to your IT asset disposition program plan. Use the following chart to determine what areas you want to focus on the most.
What is important to consider?
Global Data Privacy Regulations
In May 2018, the EU’s General Data Protection Regulation (GDPR) came into effect. GDPR is a huge legislative change in Europe that outlines significant financial penalties for non-compliant handling of EU citizens’ data. It does not matter where you are based, where you do business or where your headquarters is located. If your company handles, processes, or stores data of EU citizens, you need to be GDPR compliant. The consequences of non-compliance are severe. Companies can face fines of up to €20,000,000 or 4 percent of global revenue.
In the United States, there is a patchwork of different legislation for different industries including:
- The Health Insurance Portability and Accountability Act (HIPAA) of 1996 which protects healthcare patient data,
- The Gramm-Leach-Bliley Act (GLBA) and the Fair and Accurate Credit Transactions Act (FACTA) which are directed at financial institutions,
- The Payment Card Industry Data Security Standard (PCI DSS) which applies to companies who accept credit card payments,
- and the Family Educational Rights and Privacy Act (FERPA) legislation that protects the privacy of students by ensuring their education records are protected.
Australia has an Australian Privacy Act that requires individuals be notified if their personal information was involved in a data breach. Last February 2018, the Australian government established a privacy amendment titled the Notifiable Data Breaches Act 2017. This scheme affects those under the Australian Privacy Act and requires them to take steps to secure certain categories of personal information.
With so many tightened data security requirements, companies are taking steps to develop more structured and formalized ITAD programs that are compliant with industry and privacy legislation and corporate risk management programs.
Global E-Waste Legislation
Legislation governing how e-waste is disposed of is inconsistent regionally and globally. Batteries, toner, ink, mercury bulbs and leaded glass from CRT monitors are common items requiring special handling when recycling electronics.
There have been significant industry issues with e-waste being illegally exported and dumped in developing countries causing human health and environmental issues. With the patchwork of inconsistent legislation, most companies take their own proactive stance in auditing vendors to ensure e-waste disposal is managed responsibly.
Evaluating Regulatory and Corporate Requirements
Regulatory compliance efforts can be further complicated when companies operate in multiple locations and face regulations that vary by country. For global IT asset disposition, questions that typically come up include:
- What industry regulations need to be considered in each country regarding data privacy?
- Is there legislation regarding e-waste disposal?
- What changes on the horizon may affect how you dispose of e-waste?
- Are there any industry regulatory changes in the countries you operate, that impact your ITAD program? (GDPR in the EU is a good example of a recent major update.)
Corporate Management Considerations
Corporate risk management, business continuity and data security policies can all impact your global ITAD program. A data destruction plan for media storage devices is critical when removing IT equipment and electronic assets from your live environment. This should reflect the same risk protection as outlined in your corporate data security policies.
IT asset disposition or “ITAD”, as a term, did not exist ten years ago. Historically, disposing of retired IT equipment was a financial calculation. Considerations focused on what,
- You paid for the equipment,
- You could resell your equipment for, and
- Someone would pay to recycle this equipment.
There were few additional considerations in most cases.
As data risks became more publicized and data threats more intimidating, companies began to dedicate resources to ensure data destruction of information stored on retired IT assets. Companies have a vested interest in protecting confidential corporate information such as trade secrets, sales records, copyright and intellectual property, as well as customer data.
Global companies often face the challenge of consistently managing data destruction processes from country to country at smaller offices with remote employees.
On top of managing inventory, these global companies must also consider changes to data bearing devices over time. For instance, it took several years for all-in-one copiers and printers to be recognized as “data bearing devices” after they were equipped with hard drives to support electronic document storage. As the internet of things (IoT) age is upon us and all our devices today become “smarter”, regular reassessment of data risks on retired IT assets and equipment will be critical.
After removing data bearing assets from your live environment, it is important to have a plan in place to ensure all data is destroyed.
Overview of an ITAD Program
Companies are taking a closer look at e-recycling and ITAD vendor’s infrastructure. Having a better understanding of their ITAD and data destruction services will help ensure their corporate interests are protected and are compliant with relevant regulations.
Fragmented ITAD and Computer Recycling Programs
Different programs at each company location. It has been common for IT equipment disposal programs and plans to be managed separately at each location. Seldom has this task been part of anyone’s job description nor provided in any formalized manner.
Data security has too often not been a primary consideration, and many times, there has been no documentation of how equipment was disposed of and how data was destroyed. This fragmented opaque situation is no longer acceptable today.
Know What You Have — Operational Challenges for Multi-site Locations
The first obstacle many companies face in trying to manage a global ITAD program is a black hole of information. It can be difficult to assess what assets you have, where they are located and how each location handles removing IT assets from your live environment. You cannot manage what you cannot measure.
Common challenges include:
- Ad-hoc approach at each facility,
- Inconsistent and undocumented processes,
- Undefined job description/ownership,
- No central control or reporting,
- Lack of training, and
- Multiple vendors (and multiple ways of doing things).
Global Data Privacy Regulations
The ITAD services required at each location will vary by client. In general, services offered by IT asset disposition providers are categorized by location, either at the:
- Client’s location (on-site services), or
- Vendor facility (off-site services).
Moving IT assets between two locations is also important for full accountability, especially for any data bearing devices. This diagram provides an overview of the structure of a typical ITAD program.
On-site ITAD Services (at client location) include:
- Decommissioning of IT assets
- Secure asset storage (between vendor pickups)
- Data destruction
- Inventory reconciliation (verification of make, model, serial number and asset tag, cross-referenced to internal lists)
- Packing of IT assets
It is important to know the correct transport service is provided to ensure chain-of-custody is defined, known and consistent with the risk associated with assets to be transported.
Off-site services (at service provider location) includes:
- Data destruction (if not done at client location)
- Resale of IT assets
- Parts harvesting (if applicable)
At a high level, there are other vendor qualifications and capabilities to consider. To ensure credibility of the business you should consider the company size, longevity, number of employees, and understand what percent of their business is dedicated to ITAD services.
When it comes to execution, you can ask yourself these questions.
- Do they have the infrastructure to support a global program?
- Does their footprint align to our footprint?
- How do they “fill in gaps” for services they do not provide directly?
- Can they demonstrate they can provide systematic and secure support?
- Can they support our data destruction requirements?
- Are they familiar with country regulations for handling data? E-waste? Billing?
- Do they operate to industry standards?